Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of operating a management computer to automatically change a password used by a user to authenticate to a service application executing in a service computer system communicatively coupled to the management computer, the service computer system including a service application server and an active directory server, the user having a computerized user device including a vault in which active passwords are stored, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device, the method comprising: monitoring for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and in response to occurrence of the event: assigning a new password; generating a first message and sending it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application, the first message being sent via a first interface of the management computer, the first interface coupling the management computer to a first network and the service computer system, the first message being sent to the active directory server to update a user authentication record used by the active directory server in authenticating the user to the service application; and generating a second message and sending it to the password management application, the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application, the second message being sent via a second interface of the management computer, the second interface coupling the management computer to a second network and the user device used by the user, wherein generating the second message and sending it to the password management application includes communicating with the user device using a vault application programming interface (API) that (i) enables external management of contents of the password vault and of the operation of the password management application, and (ii) causes the new password to be stored in the vault in association with an identification of the service application for use in the authenticating of the user thereto.
2. The method of claim 1, wherein assigning the new password includes auto-generating the new password at the management computer.
3. The method of claim 2, wherein the auto-generating is according to an organization policy.
4. The method of claim 3, wherein the policy specifies the event signifying that the password is to be changed.
5. The method of claim 3, wherein the policy specifies a construction of the password including minimum length and required usage of types of characters.
6. The method of claim 1, wherein the event signifying that the password is to be changed is specified in an explicit organization policy regarding password usage.
7. The method of claim 1, wherein monitoring for the event includes receiving a notification from either the user device or the service application that a current password was used for an authentication.
8. A management computer, comprising: one or more processors; memory coupled to the processors by a high-speed data bus; and input/output interface circuitry coupled to the memory and the processors by the high-speed data bus, the input/output interface circuitry coupling the management computer to a service computer system and a computerized user device used by a user, the user device including a vault in which active passwords are stored, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device, the memory storing instructions which, when executed by the processors, cause the management computer to operate to automatically change a password used by the user to authenticate to a service application executing in the service computer system, by: (1) monitoring for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and (2) in response to occurrence of the event: (a) assigning a new password; (b) generating a first message and sending it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application; and (c) generating a second message and sending it to the password management application, the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application, wherein the instructions, when executed by the processors to cause the management computer to generate the second message and send it to the password management application, cause the management computer to communicate with either the user device or password management server via a vault application programming interface (API) that (i) enables external management of contents of the password vault and of the operation of the password management application, and (ii) causes the new password to be stored in the vault in association with an identification of the service application for use in authenticating the user thereto, wherein the input/output interface circuitry includes a first interface to a first network for coupling the management computer to the service computer system, and includes a second interface to a second network for coupling the management computer to the computerized user device used by the user, and wherein (i) the first message is sent to the service computer system via the first interface, and (ii) the second message is sent to the password management application via the second interface, and wherein the service computer system includes a service application server and an active directory server, and the first message is sent to the active directory server to update a user authentication record used by the active directory server in the authenticating of the user to the service application.
9. The management computer of claim 8, wherein assigning the new password includes auto-generating the new password at the management computer.
10. The management computer of claim 9, wherein the auto-generating is according to an organization policy.
11. The management computer of claim 10, wherein the policy specifies the event signifying that the password is to be changed.
12. The management computer of claim 10, wherein the policy specifies a construction of the password including minimum length and required usage of types of characters.
13. The management computer of claim 8, wherein the event signifying that the password is to be changed is specified in an explicit organization policy regarding password usage.
14. The management computer of claim 8, wherein monitoring for the event includes receiving a notification from either the user device or the service application that a current password was used for an authentication.
15. The management computer of claim 8, wherein: the computerized user device is one of a plurality of computerized user devices used by respective users, each user device including a respective vault managed by a respective password management application executing either on the respective user device or on the password management server, and the input/output interface circuitry couples the management computer to the plurality of computerized user devices; and the instructions are executed by the processors to cause the management computer to operate to automatically change respective passwords used by respective users by performing steps (1) and (2) for each password change, including: at step (2)(a), assigning a respective new password for the respective user; at step (2)(b), generating a respective first message including the respective new password and including an indication that the service application is to begin using the respective new password to authenticate the respective user to the service application; and at step (2)(c), generating a respective second message and sending it to the respective password management application, the respective second message including the respective new password and an indication that the respective new password is to replace a respective current password in the vault of the respective user device for use in authenticating the respective user to the service application.
16. A computer system, comprising: a service computer system executing a service application; a computerized user device including a vault in which active passwords are stored, the passwords including a password used by a user to authenticate to the service application, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device; and a management computer used to automatically change the password used by the user to authenticate to the service application, the management computer being configured and operative to monitor for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and in response to occurrence of the event (1) assign a new password, (2) generate a first message and send it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application, and (3) generate a second message and send it to the password management application using a vault application programming interface (API), the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application, the password management application being configured and operative, in response to communications from the management server using the vault API, to (i) enable the management server to manage contents of the password vault and operation of the password management application, and (ii) in response to the second message using the vault API, to store the new password in the vault in association with an identification of the service application for subsequent use by the user device in authenticating the user to the service application, wherein the management computer includes a first interface to a first network for coupling the management computer to the service computer system, and includes a second interface to a second network for coupling the management computer to the computerized user device used by the user, and wherein (i) the first message is sent to the service computer system via the first interface, and (ii) the second message is sent to the password management application via the second interface, and wherein the service computer system includes a service application server and an active directory server, and the first message is sent to the active directory server to update a user authentication record used by the active directory server in the authenticating of the user to the service application.
17. The computer system of claim 16, wherein assigning the new password includes auto-generating the new password at the management computer.
18. The computer system of claim 16, wherein the event signifying that the password is to be changed is specified in an explicit organization policy regarding password usage.
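The rotation flow that claims 1, 8 and 16 describe, as an added simulation that is not part of the patent or of any product implementing it; every class and function name, and the policy values, are assumptions. It also shows the consequence a defender cares about: a password captured during its one permitted use fails on replay, because the management computer has already rotated it in both the directory record and the vault.

```python
import secrets
import string

# Assumed organization policy (claim 5): minimum length and required character classes.
POLICY = {"min_length": 16,
          "classes": (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)}

def generate_password(policy=POLICY):
    """Auto-generate a password at the management computer that satisfies the policy."""
    alphabet = "".join(policy["classes"])
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["min_length"]))
        if all(any(c in cls for c in pw) for cls in policy["classes"]):
            return pw

class ActiveDirectory:
    """Holds the user authentication record that the first message updates."""
    def __init__(self): self.records = {}
    def set_password(self, user, pw): self.records[user] = pw
    def check(self, user, pw): return secrets.compare_digest(self.records.get(user, ""), pw)

class Vault:
    """User's vault; the vault API lets the management computer replace an entry by service id."""
    def __init__(self): self.entries = {}
    def api_store(self, service_id, pw): self.entries[service_id] = pw
    def get(self, service_id): return self.entries[service_id]

class ManagementComputer:
    def __init__(self, ad, vaults, service_id):
        self.ad, self.vaults, self.service_id = ad, vaults, service_id
    def on_password_used(self, user):
        """Event: a single use of the password. Rotate it in AD (first message) and in the vault (second)."""
        new_pw = generate_password()
        self.ad.set_password(user, new_pw)                    # first message -> directory record
        self.vaults[user].api_store(self.service_id, new_pw)  # second message -> vault via vault API

class ServiceApplication:
    def __init__(self, ad, mgmt): self.ad, self.mgmt = ad, mgmt
    def authenticate(self, user, pw):
        ok = self.ad.check(user, pw)
        if ok:
            self.mgmt.on_password_used(user)  # notification that the password was used (claim 7)
        return ok

def demo():
    """Constructed scenario: one legitimate login, one replay of the used password, one more login."""
    ad, vault = ActiveDirectory(), Vault()
    mgmt = ManagementComputer(ad, {"alice": vault}, "crm")
    svc = ServiceApplication(ad, mgmt)
    first = generate_password(); ad.set_password("alice", first); vault.api_store("crm", first)
    login1 = svc.authenticate("alice", vault.get("crm"))  # user logs in with the vault's password
    replay = svc.authenticate("alice", first)             # same password presented again: already rotated
    login2 = svc.authenticate("alice", vault.get("crm"))  # vault already holds the new password
    return login1, replay, login2
```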
December 4, 2018